Presentation is loading. Please wait.

Presentation is loading. Please wait.

Are these ads safe? Detecting hidden attacks through the mobile app-web interface Vaibhav Rastogi, Rui Shao, Yan Chen, Xiang Pan, Shihong Zou, and Ryan.

Published byDortha Jennifer Jefferson Modified over 6 years ago

Similar presentations

Presentation on theme: "Are these ads safe? Detecting hidden attacks through the mobile app-web interface Vaibhav Rastogi, Rui Shao, Yan Chen, Xiang Pan, Shihong Zou, and Ryan."— Presentation transcript:

1 Are these ads safe? Detecting hidden attacks through the mobile app-web interface
Vaibhav Rastogi, Rui Shao, Yan Chen, Xiang Pan, Shihong Zou, and Ryan Riley Presented by helen zhao

2 Mobile security problem
Mobile phones are everywhere Android has 80% of the world’s market share in mobiles But is particularly susceptible to malware and scams Unlike iOS Trojans are app applications that have some useful function but also hide a malicious function

3 Android security Users able to install apps from unverified sources
APKs from the internet Third Party App Stores Third party app stores are used almost exclusively in China May not have as robust integrity and security checks as the Google Play Store Unlike iOS Trojans are app applications that have some useful function but also hide a malicious function

4 Android attacks Trojans are the most common form of attacks as application sandboxing makes drive-by-download attacks difficult Trojans are applications that have some useful function but also hide some malicious behaviour Unlike iOS Trojans are app applications that have some useful function but also hide a malicious function

5 Where are these attacks coming from
Malicious applications Possibly benign, legitimate applications that are knowingly or unknowingly hosting malicious ads This paper focuses on the 2nd type These applications can be benign and legitimate, but unknowingly running malicious ads A lot of research has been done on applications that are malicious, this paper focuses on mobile attacks through advertisements

6 Ads in android Many applications on App Stores, lots of them free
Relies on revenue from ads Ads are links Ads can come from ad networks/aggregators, such as Google Ads These ads are connected to the web – hence are an app-web interface So to understand how attacks occur we have to first understand how ads work in the Android ecosystem

7 How are ads added to an app
Developer just embeds the ad into the app statically Ad network code (e.g. API call) is added to the app that is responsible for serving up ads

8 redirection When you click on an ad…
Ad networks generally don’t run independently: often bid with each other or through ad exchanges, or sell/delegate ad spaces to each other Leads to an ad being redirected many times, often through all the different ad network’s channels This is called the redirection chain The final ad page that the ad redirects to is called the landing page When you click on an ad it often doesn’t just redirect to the ad

9 Goal of the paper Analyse and understand mobile attacks through ads via the app-web interface How? Creating an analysis tool, deploying it for 2 months and analysing 600,000 applications in the US and in China

10 How the tool works The tool is an analysis framework that follows three steps Triggering the UI – clicking on all the web links Detecting malicious content in triggered pages Provenance – Determining where and from whom the malicious content originated

11 How: triggering the ui Can’t just use static analysis on the app to identify ad links as ad networks dynamically load the ads Created automated tool that ran applications in an emulator in a virtual machine – dynamic app analysis Extracted features and code elements from displayed UI and constructed a hierarchy of the widgets within in e.g. buttons, panels

12 Issues with triggering ui
Ran into issues with WebViews, as appeared opaque, flat UI hierarchy Used graphics based algorithm to find clickable buttons/widgets Looks for convex, bounded contours

13 Capturing information
To analyse the information, needed to capture and store: the links redirection chains landing pages

14 Capturing information
Redirection chains Created custom browser that behaves as an user would Gets around time-based checks, e.g. by Google to prevent ad click fraud Landing Pages Landing pages were dynamically analysed, and every web link within recorded and visited Often landing pages ask the user to download some file – potential trojans Stored and recorded any files downloaded

15 Detecting malicious content
Used information in the VirusTotal system to determine whether a URL/file is malicious or not VirusTotal is a database that aggregates results from 50+ blacklists and 50+ anti-virus systems Checked all the URLs/downloaded files against VirusTotal Anti-viruses are prone to false positives, therefore a file/URL needed to be flagged by three different systems for the authors to consider the links malicious

16 provenance Once a malicious URL or file is detected, need to:
Determine where the malicious content originated Find who is responsible for the malicious content

17 provenance Two types of malicious ads:
Ads redirecting to malicious landing pages Examine redirection chain to find out who owns the URLs finally redirecting to the malicious page Malicious links embedded in the application Need to find which block of code called the link Could be ad network code or developer code If it was ad network code

18 Finding the responsible ad network
Method used: Identified loosely coupled libraries Clustered them according to their set of API endpoints Manually determined if a cluster was an ad network based on the library Identified 201 unique ad networks Loosely coupled means there are some field/method references and class inheritance, but not many Comes with error but that was tolerable

19 Tool summary Loosely coupled means there are some field/method references and class inheritance, but not many Comes with error but that was tolerable

20 Deployment System was run in Northwestern University Campus in US and Zhejiang University Campus in China Location is important for ads Ran for two months Required little human intervention Loosely coupled means there are some field/method references and class inheritance, but not many Comes with error but that was tolerable

21 results App to web link launches 1,000,000 415,000 Malicious URLs 948
CHINA App to web link launches 1,000,000 415,000 Malicious URLs 948 1475 Unique domains hosting above malicious URLs 64 139 Malicious / Total file downloads from landing pages 271/468 ~ 58% 435/1097 ~40% Loosely coupled means there are some field/method references and class inheritance, but not many Comes with error but that was tolerable

22 results These graphs show the length of the redirection chain and the number of occurrences. As you can see, the number of malicious links as a percentage of the number of total links increase as the redirection chain gets longer Longer the redirection chain, the higher fraction of redirections are malicious US China

23 results These graphs show the number of malicious files downloaded and the ad networks responsible Higher diversity and higher number of malicious downloads in Chinese deployment – most likely due to the fact the Android ecosystem is not centered around Google Play, but instead around web and third-party application stores One ad network, Tapcontext was excluded as the numbers were too big US China

24 Scams detected Armor for Android anti-virus scan trojan accounted for 244/271 malicious apps downloaded in US, and 102/435 malicious apps downloaded in China Run by malicious ad network Tapcontext Caught by the tool at least 20 days before Google Safebrowsing caught it Loosely coupled means there are some field/method references and class inheritance, but not many Comes with error but that was tolerable

25 Other Scams detected Win free iPhone/iPad Fake Movie Player Malware
Personal information gathering Fake Movie Player Malware SMS trojans Loosely coupled means there are some field/method references and class inheritance, but not many Comes with error but that was tolerable

26 REflection Good: Wide-reaching – 600,000 apps tested in two countries
Created a tool that can be used by government agencies/Google Well-researched, many algorithms and tool were based on previous studies

27 criticism Improvements and Issues:
Applications that used native code excluded (30%) Tool relied on dynamic triggering of ads – may have been malicious ads in an ad library that wasn’t triggered UI Triggering was blocked by things such as login screens Ethics – running the experiment involved clicking on ads and generating revenue for ad networks Malware detection relied entirely on VirusTool and its database Focuses on identifying well-known malware instead of new malware

28 THANK YOU

Download ppt "Are these ads safe? Detecting hidden attacks through the mobile app-web interface Vaibhav Rastogi, Rui Shao, Yan Chen, Xiang Pan, Shihong Zou, and Ryan."

Similar presentations

Providing protection from potential security threats that exist for any internet-connected computer is termed e- security. It is important to be able to.

Providing protection from potential security threats that exist for any internet-connected computer is termed e- security. It is important to be able to.
Thank you to IT Training at Indiana University Computer Malware.

Thank you to IT Training at Indiana University Computer Malware.
Mobile App Monetization: Understanding the Advertising Ecosystem Vaibhav Rastogi.

Mobile App Monetization: Understanding the Advertising Ecosystem Vaibhav Rastogi.
Norman SecureSurf Protect your users when surfing the Internet.

Norman SecureSurf Protect your users when surfing the Internet.
Presentation By Deepak Katta

Presentation By Deepak Katta
Efficient Privilege De-Escalation for Ad Libraries in Mobile Apps Bin Liu (SRA), Bin Liu (CMU), Hongxia Jin (SRA), Ramesh Govindan (USC)

Efficient Privilege De-Escalation for Ad Libraries in Mobile Apps Bin Liu (SRA), Bin Liu (CMU), Hongxia Jin (SRA), Ramesh Govindan (USC)
Data Security.

Data Security.
All Your Droid Are Belong To Us: A Survey of Current Android Attacks 단국대학교 컴퓨터 보안 및 OS 연구실 김낙영 2015. 04. 21.

All Your Droid Are Belong To Us: A Survey of Current Android Attacks 단국대학교 컴퓨터 보안 및 OS 연구실 김낙영
Presented by: Kushal Mehta University of Central Florida Michael Spreitzenbarth, Felix Freiling Friedrich-Alexander- University Erlangen, Germany michael.spreitzenbart,

Presented by: Kushal Mehta University of Central Florida Michael Spreitzenbarth, Felix Freiling Friedrich-Alexander- University Erlangen, Germany michael.spreitzenbart,
1 All Your iFRAMEs Point to Us Mike Burry. 2 Drive-by downloads Malicious code (typically Javascript) Downloaded without user interaction (automatic),

1 All Your iFRAMEs Point to Us Mike Burry. 2 Drive-by downloads Malicious code (typically Javascript) Downloaded without user interaction (automatic),
London April 2005 London April 2005 Creating Eyeblaster Ads The Rich Media Platform The Rich Media Platform Eyeblaster.

London April 2005 London April 2005 Creating Eyeblaster Ads The Rich Media Platform The Rich Media Platform Eyeblaster.
London April 2005 London April 2005 Creating Eyeblaster Ads The Rich Media Platform The Rich Media Platform Eyeblaster.

London April 2005 London April 2005 Creating Eyeblaster Ads The Rich Media Platform The Rich Media Platform Eyeblaster.
3-Protecting Systems Dr. John P. Abraham Professor UTPA.

3-Protecting Systems Dr. John P. Abraham Professor UTPA.
Introduction www.kalmstrom.com With TimeCard users can tag SharePoint events with information that converts them into time sheets. This way they can report.

Introduction With TimeCard users can tag SharePoint events with information that converts them into time sheets. This way they can report.
ANDROID BY:-AANCHAL MEHTA MNW-880-2K11. Introduction to Android Open software platform for mobile development A complete stack – OS, Middleware, Applications.

ANDROID BY:-AANCHAL MEHTA MNW-880-2K11. Introduction to Android Open software platform for mobile development A complete stack – OS, Middleware, Applications.
IPSOS / Vodafone / Novartis Kenya 17 December 2014.

IPSOS / Vodafone / Novartis Kenya 17 December 2014.
1 Mezzanine Ware (Pty) Ltd © 2014 Installing\Uninstalling the Mezzanine Helium Android application.

1 Mezzanine Ware (Pty) Ltd © 2014 Installing\Uninstalling the Mezzanine Helium Android application.
The Koobface Botnet and the Rise of Social Malware Kurt Thomas David M. Nicol

The Koobface Botnet and the Rise of Social Malware Kurt Thomas David M. Nicol
Detecting Hidden Attacks through the Mobile App-Web Interfaces Yan Chen Lab of Internet and Security Technology (LIST) Northwestern University, USA.

Detecting Hidden Attacks through the Mobile App-Web Interfaces Yan Chen Lab of Internet and Security Technology (LIST) Northwestern University, USA.
Chapter 6 Discovering the Scope of the Incident Spring 2016 - Incident Response & Computer Forensics.

Chapter 6 Discovering the Scope of the Incident Spring Incident Response & Computer Forensics.

Similar presentations

Ads by Google